Chapter 15 Unknown User Policy
Posture Validation and the Unknown User Policy
15-12
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Note: If the credentials included in a posture validation request do not satisfy any NAC
database in the Selected Databases list, Cisco Secure ACS rejects the posture
validation request.
For more information about NAC databases, including information about
mandatory credential types, see Chapter 14, “Network Admission Control”.

Required Use for Posture Validation

Use of the Unknown User Policy is required for posture validation. For every
posture validation request, regardless of the user type, Cisco Secure ACS uses the
Unknown User Policy to determine which NAC database processes the request.
This behavior accommodates changes to the configuration of NAC-client computers,
especially when additional NAC-compliant applications are installed on
those computers. Consider the following scenario:
1. A NAC-client computer is added to the network. This computer has CTA
installed with no NAC-compliant applications.
2. When Cisco Secure ACS performs posture validation for the new computer,
it uses a NAC database whose only mandatory credential type is CTA credentials.
Cisco Secure ACS creates a user account corresponding to the NAC-client
computer.
3. A NAC-compliant application is added to the computer, such as Cisco
Security Agent (CSA).
The mandatory credential types of the NAC database first used with the computer
are still satisfied by the credentials in later posture validation requests from it;
however, to evaluate the posture of the computer using CSA credentials in addition
to CTA credentials, you want a NAC database whose mandatory credential types
include both CTA and CSA credentials. Because a posture validation request is
handled by the first NAC database on the Selected Databases list whose mandatory
credential types it satisfies, list databases with more restrictive mandatory
credential types (CTA and CSA) ahead of those with less restrictive ones (CTA only);
if the CTA-only database is listed first, it matches every request and the CSA
credentials are never evaluated. By ordering NAC databases carefully on the Selected
Databases list, you ensure that each posture validation request is handled by
the NAC database with the most restrictive mandatory credential types it satisfies and,
therefore, the most applicable policies.
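The following is an added example, not Cisco code and not part of the original guide, that models the database selection described in this section: the Unknown User Policy walks the Selected Databases list in order and hands the request to the first NAC database whose mandatory credential types are all present in the request, rejecting it if none matches. The database names, the credential-type labels "CTA" and "CSA", and the `check_ordering` helper are assumptions chosen for illustration; the real credential type names and the ACS internals differ.

```python
from dataclasses import dataclass

# Hypothetical model (not Cisco's implementation) of how the Unknown User
# Policy selects a NAC database for a posture validation request.


@dataclass(frozen=True)
class NacDatabase:
    name: str
    mandatory: frozenset  # credential types the request MUST carry


def select_database(selected_databases, request_credentials):
    """Return the first database whose mandatory credential types are all
    present in the request, or None when no database matches (ACS rejects)."""
    creds = frozenset(request_credentials)
    for db in selected_databases:
        if db.mandatory <= creds:
            return db
    return None


def check_ordering(selected_databases):
    """Return (shadowed, shadowing) name pairs: a database is unreachable when
    an earlier entry's mandatory set is a subset of its own, because every
    request satisfying the later one already matched the earlier one."""
    shadowed = []
    for i, later in enumerate(selected_databases):
        for earlier in selected_databases[:i]:
            if earlier.mandatory <= later.mandatory:
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed sample configuration: labels "CTA" and "CSA" stand in for the
# real credential types of Cisco Trust Agent and Cisco Security Agent.
CTA_ONLY = NacDatabase("CTA-only", frozenset({"CTA"}))
CTA_CSA = NacDatabase("CTA+CSA", frozenset({"CTA", "CSA"}))

WRONG_ORDER = [CTA_ONLY, CTA_CSA]  # less restrictive first: CTA+CSA is never used
RIGHT_ORDER = [CTA_CSA, CTA_ONLY]  # most restrictive first

NEW_COMPUTER = {"CTA"}          # steps 1-2: fresh computer, CTA installed only
AFTER_CSA = {"CTA", "CSA"}      # step 3: CSA has been added


def scenario():
    """Replay the scenario from the section under both list orderings."""
    return {
        "wrong_new": select_database(WRONG_ORDER, NEW_COMPUTER).name,   # CTA-only
        "wrong_csa": select_database(WRONG_ORDER, AFTER_CSA).name,      # CTA-only (CSA ignored)
        "right_new": select_database(RIGHT_ORDER, NEW_COMPUTER).name,   # CTA-only
        "right_csa": select_database(RIGHT_ORDER, AFTER_CSA).name,      # CTA+CSA
        "no_match": select_database(RIGHT_ORDER, {"CSA"}),             # None -> rejected
        "shadowed_wrong": check_ordering(WRONG_ORDER),                  # [("CTA+CSA", "CTA-only")]
        "shadowed_right": check_ordering(RIGHT_ORDER),                  # []
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running `check_ordering` over a planned Selected Databases list before committing it is the practical check: any pair it reports means the later database's policies can never be applied, which is exactly the CSA-never-evaluated situation the section warns about.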